Hey all,

I’ve been working on a pattern I’d love to get this community’s feedback on.

The problem I keep hitting: Vault is great at minting short-lived dynamic credentials, but most workloads — agents, pods, pipelines — still end up with a credential sitting on disk or in memory for the lifetime of the token. Vault Agent + templating helps, but it still distributes the secret to the client. The blast radius if that workload is compromised is the full TTL of whatever was issued.

The approach I’ve been exploring: instead of handing the credential to the workload, put a proxy in front of the egress path. The workload authenticates to the proxy with its own identity (JWT, mTLS, SPIFFE), the proxy pulls a short-lived credential from Vault, and re-signs the outbound request (SigV4, bearer tokens, etc.) on the way out. The client never sees the secret.

A few things I’m curious about:

• For folks running Vault Agent at scale — where has the “credential on the client” model bitten you, if at all?

• Anyone tried similar re-signing patterns? I’ve seen bits of this in service meshes but rarely tied back to Vault as the source of truth.

• How are you handling binary-protocol targets (Postgres, MySQL, Mongo) where you can’t just re-sign an HTTP request?

I’ve been building this out as an open-source project called Warden if anyone wants to look at a concrete implementation: https://github.com/stephnangue/warden — but mostly interested in hearing how others are solving this, especially if you’ve gone a different direction.

Thanks.
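To make the re-signing pattern from the post concrete, here is an added sketch (not code from Warden or the original poster) of an egress proxy: the workload presents an identity token, the proxy maps it to a Vault role, fetches a short-lived credential, strips whatever the client sent in `Authorization`, and attaches its own bearer credential on the way out. The Vault client is simulated by `SimulatedVault`, the identity token is an HMAC stand-in for a real JWT/SPIFFE document, and `POLICY` is an assumed identity-to-role mapping.

```python
import hmac
import hashlib
import time

# Constructed demo values: in a real deployment the verification key would come from
# the identity issuer (JWKS/SPIFFE bundle) and the mapping from proxy configuration.
ISSUER_KEY = b"constructed-demo-issuer-key"
POLICY = {"payments-service": "aws-payments-role"}  # workload identity -> Vault role

def mint_workload_token(identity):
    """Stand-in for a workload identity document: identity plus an HMAC tag."""
    tag = hmac.new(ISSUER_KEY, identity.encode(), hashlib.sha256).hexdigest()
    return f"{identity}.{tag}"

def verify_workload_token(token):
    """Return the identity if the tag verifies, else None (constant-time compare)."""
    identity, _, tag = token.rpartition(".")
    expected = hmac.new(ISSUER_KEY, identity.encode(), hashlib.sha256).hexdigest()
    return identity if hmac.compare_digest(tag, expected) else None

class SimulatedVault:
    """Simulates a dynamic secrets engine: a fresh credential with a TTL per issue."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self.issued = ttl_seconds, clock, 0
    def issue_credential(self, role):
        self.issued += 1
        return f"dyn-{role}-{self.issued}", self.clock() + self.ttl  # (secret, expiry)

class ResigningProxy:
    def __init__(self, vault, clock=time.monotonic, renew_margin=1.0):
        self.vault, self.clock, self.margin, self.cache = vault, clock, renew_margin, {}

    def _credential(self, role):
        # Reuse the cached credential until it is within renew_margin of expiry,
        # then fetch a new one; the secret never leaves this process.
        cred = self.cache.get(role)
        if cred is None or cred[1] - self.clock() < self.margin:
            cred = self.vault.issue_credential(role)
            self.cache[role] = cred
        return cred[0]

    def forward(self, workload_token, headers):
        """Authenticate the workload, then return the re-signed outbound headers."""
        identity = verify_workload_token(workload_token)
        if identity is None or identity not in POLICY:
            raise PermissionError("unknown or unauthorised workload identity")
        # Drop any client-supplied Authorization so only the proxy's credential goes out.
        outbound = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        outbound["Authorization"] = f"Bearer {self._credential(POLICY[identity])}"
        return outbound
```

Swapping the bearer header for a SigV4 signer or a database-protocol handshake is where the binary-protocol question in the post becomes the hard part; the identity check and credential cache stay the same.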
